Posts

Is Your Firewall Ready for the IoT Era? The 3 Tough Questions to Ask

My wife was out of the country recently, so I took the opportunity to nudge our house a little further into the 21st century by installing a Nest thermostat. It won’t solve my family’s disagreements about the temperature, but it’s a cool gadget that makes me feel like I’m modernizing a house that was built well into the last century.

The thermostat is just one of many smart devices on the market that connects to the internet and your local network — whether that’s at home, the office or your business. In this case, it’s connecting via Wi-Fi to my home firewall, so I know it’s secure.

But is that the case for all the Internet of Things (IoT) devices out there? The number of connected “things” that need to be secured continues to grow — cars, TVs, watches, wearables, refrigerators, security cameras. And these are just a few examples.

By the end of 2018, statistics research company Statista expects the installed base of IoT devices to exceed 23 billion, increasing to almost 31 billion in 2020. That’s a whole lot of things that can connect to your organization’s network, and it doesn’t include all the PCs, laptops and phones we use daily. Some connect to a firewall or router through an Ethernet cable, while others connect over wireless. Whether they’re tethered or not, more connected devices means more risk.

To help secure the flow of traffic across networks, organizations have increasingly been turning to the use of Transport Layer Security and Secure Sockets Layer (TLS/SSL) encryption.

In fact, SonicWall recently noted in its 2018 Cyber Threat Report that almost 70 percent of connections are now encrypted. Like sales of IoT devices, the number of HTTPS sessions continues to climb. While this is generally a good thing, cyber criminals are also using encryption to hide their attacks.

How to secure IoT devices connecting to my network

So, what steps can you take to make sure all your devices can connect securely to your organization’s network? Here are three questions you should address:

  1. Can my firewall decrypt and scan encrypted traffic for threats?
    As I mentioned earlier, the use of encryption is growing for both good and malicious purposes. More and more, we’re seeing cyber criminals hiding their malware and ransomware attacks in encrypted sessions, so you need to make sure your firewall can apply deep packet inspection (DPI) to HTTPS connections, such as DPI-SSL.
  2. Can my firewall support deep packet inspection across all my connected devices?
    Someone told me the other day that very soon each person will have an average of 13 connected devices. That’s a lot of potential devices connecting to your network. Now think of all the encrypted web sessions each device might have. You need to make sure your firewall can support all of them while securing each from advanced cyber attacks. Having only a high number of stateful packet inspection connections doesn’t cut it any more. Today, it’s about supporting more deep packet inspection connections.
  3. Can my firewall enable secure high-speed wireless?
    OK, this one sounds simple. Everyone says they provide high-speed wireless. But are you sure? The latest wireless standard is 802.11ac Wave 2, which promises multi-gigabit Wi-Fi to support bandwidth-intensive apps. Access points with a physical connection to the firewall should have a port capable of supporting these faster speeds. So should the firewall. Using a 1-GbE port creates a bottleneck on the firewall, while 5-GbE and 10-GbE ports are overkill. Having a 2.5-GbE port makes for a good fit.
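
Question 1 assumes the firewall terminates and re-signs TLS (what DPI-SSL does). Short of full decryption, a firewall still sees one policy-relevant field in the clear on every TLS 1.2 ClientHello and on TLS 1.3 ClientHellos that do not use Encrypted Client Hello: the Server Name Indication. The following Python is an added example, not SonicWall code: it builds a constructed ClientHello and then extracts the SNI from it with the bounds checks a firewall-grade parser needs, because every length field is attacker-controlled. The hostnames and the `build_client_hello`/`extract_sni` names are the example’s own.

```python
import struct

def build_client_hello(sni=None):
    """Construct a minimal TLS 1.3-style ClientHello record for testing.
    Example data only: zero random, three cipher suites, one extension
    besides SNI (supported_versions)."""
    body = struct.pack("!H", 0x0303) + bytes(32)        # client_version + random
    body += b"\x00"                                    # empty session_id
    suites = b"\x13\x01\x13\x02\x00\x2f"
    body += struct.pack("!H", len(suites)) + suites    # cipher_suites
    body += b"\x01\x00"                                # one compression method: null
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    sv = b"\x02\x03\x04"                               # supported_versions: [TLS 1.3]
    exts += struct.pack("!HH", 0x002b, len(sv)) + sv
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 0x16 = handshake

def extract_sni(record):
    """Return the SNI host name from a TLS ClientHello record, or None if the
    record is not a ClientHello, carries no SNI, or is truncated/malformed.
    Every length is checked against the bytes actually present."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                    # truncated capture or lying length
    pos = 2 + 32                                       # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # compression_methods
    if len(body) < pos + 2:
        return None                                    # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        # server_name extension: list_len(2) name_type(1) name_len(2) name
        if len(edata) < 5 or edata[2] != 0:
            return None
        name_len = struct.unpack("!H", edata[3:5])[0]
        name = edata[5:5 + name_len]
        if len(name) != name_len:
            return None
        return name.decode("ascii", errors="replace")
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("update.example.net")))   # update.example.net
    print(extract_sni(build_client_hello()))                        # None
```

Two caveats a practitioner should keep in mind: the SNI is supplied by the client and can be forged or fronted, so it is a signal for logging and coarse policy rather than proof of destination, and it tells you nothing about the payload, which is why the post’s point about inspecting inside the session still stands.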

SonicWall NSa next-generation firewalls

If you’re not sure you can answer “Yes” to these three questions about your current firewall, it may be time to revisit your security strategy. One solution you should look at is the SonicWall NSa series.

We’ve recently introduced several new models for mid-sized networks and distributed enterprises with remote and branch sites. The new NSa 3650, NSa 4650 and NSa 5650 join the NSa 2650, which SonicWall released last September. All four models deliver the automated real-time breach detection and prevention today’s organizations need.

SonicWall NSa next-generation firewalls now include NSa 3650, 4650 and 5650 offerings.

Here are a few of the key features the NSa series offers:

  • Cloud-based, on-box threat protection – Staying ahead of sophisticated attacks requires a more modern approach that heavily leverages security intelligence in the cloud. NSa series next-generation firewalls integrate two advanced security technologies — our patent-pending Real-Time Deep Memory Inspection™ and patented Reassembly-Free Deep Packet Inspection — which deliver cloud-based, on-box threat protection.
  • High connection count – The NSa series enables a very high number of deep packet inspection (DPI) and deep packet inspection of TLS/SSL-encrypted (DPI-SSL) connections.
  • High port density – The NSa series provides high port density, ranging from 20 physical ports on the NSa 2650 up to 28 on the NSa This high port density enables more devices to connect directly to the firewall without the need for a switch.
  • 2.5-GbE ports – NSa series firewalls include multiple 2.5-GbE interfaces, an industry first for firewalls. The 2.5-GbE interfaces enable faster wired throughput speeds while also supporting the requirements for 802.11ac Wave 2 wireless access points, including the SonicWall SonicWave series of 802.11ac Wave 2 indoor and outdoor access points.
  • 10-GbE ports – NSa series firewalls (except NSa 2650) also include multiple 10-GbE interfaces to support faster data rates for the delivery of bandwidth-intensive applications over longer distances.
  • Onboard storage – Each NSa series firewall includes a pre-populated storage module ranging from 16 GB on the NSa 2650 up to 64 GB on the NSa The storage enables support for various features including logging, reporting, last signature update, backup and restore and more.

Even if you answered “Yes” to some or all of the questions, it’s still a good idea to see if you’re getting the most from your firewall. Learn more about the SonicWall NSa series, and how you can get high-speed wired and wireless security across all your connections, encrypted and unencrypted.

Home Automation Security: Is it too late?

In a casual conversation with my realtor friend, I learned that many upscale tract builders now include home automation to increase margin. We’ve come a long way since the X10 days.

Home automation is still a splintered industry. No end-to-end solutions exist. There are, of course, the commercial integrators targeting custom estates with project cost measured in the percentage of home values.

The value of these integrators is that they have found various sub-systems that work well together. These solutions have often been around for decades. Their security works by virtue of being discrete systems interconnected via serial copper links, some using odd, bit-banged protocols. These are easy to hack, but one needs physical access. We have not heard of many breaches for that reason.

Apple, Amazon Change the Game

But with Apple HomeKit and Amazon Echo, the world changed dramatically. From a vendor’s perspective, solutions such as HomeKit significantly decrease the complexity of a product. A HomeKit vendor only focuses on contributing a small part of a solution, which can be as small as a single light bulb. HomeKit brings it all together.

Some devices have built-in Ethernet or Wi-Fi interfaces, but many speak some proprietary wired or wireless protocols and use a small device called a “bridge” or a “hub” to translate to a central controller. I actually like the bridge approach. It brings many legacy players into the consumer arena with very solid solutions.

Echo and HomeKit are not the only controllers in town. There are many, many other products, from old dogs such as HomeSeer to new vendors like Wink, popping up each day. Some are already exiting. All of these can be grouped into on-prem and cloud solutions.

Home automation: On-prem or in the cloud

On-prem controllers can theoretically be deployed air-gapped. They do not need internet access other than for optional remote access, software updates and perhaps initial licensing. Cloud controllers need internet access to work: if you lose access to the internet, devices stop working.

Complexity doesn’t end there. Since vendors came up with bridges and hubs, it does not cost them much more to add out-of-the-box, siloed cloud access, giving consumers an instant plug-and-play experience without the need for a controller. Consumers appreciate the ease of deployment, but need an app for each island.

Geeks like me appreciate the APIs into these bridges, which provide the same benefits as systems that used to cost into the tens of thousands of dollars.

3 Best Practices for Home Automation Security

How do we secure all of this? Because of the diversity of systems around, I cannot give a flat response. Here are some basic tips:

  1. Unique emails and passwords. First, give anything with cloud access a strong, unique password, registered to an email account that is not used for anything else and not generally known.
  2. Secure and segment Wi-Fi access. Secure the home network thoroughly with a strong Wi-Fi password. Add an isolated guest network for devices outside the family. This goes, of course, with solid perimeter controls such as gateway antivirus (GAV) and intrusion prevention systems (IPS).
  3. Implement network isolation. This can be challenging. Many systems need client devices (smartphones, bridges and controllers) to all be in the same broadcast domain. For instance, HomeKit uses an Apple TV as a remote access hub to HomeKit devices within the broadcast domain. Firewalls can still be deployed here, but in L2 bridged mode. Luckily, bridges typically use HTTPS, SSH, telnet and HTTP to communicate, in that order. Occasionally you see some odd sockets, but mostly we can control them via stateful packet inspection (SPI) rules and apply IPS on common services. L2 segmentation is the key phrase here, such as Native Bridge support in SonicOS 6.5.

It will be very exciting to observe the consumer home automation industry mature — both from capabilities and security. You will hear more from us in the coming quarters as SonicWall takes a special interest in IoT.

Practical Defense for Cyber Attacks and Lessons from 2017 SonicWall Annual Threat Report

The 2017 SonicWall Annual Threat Report, published last week, covers the evolution of the cybersecurity landscape through 2016. Based on data from the SonicWall Capture Labs Threat Network, the report highlights advances on both the criminal and the defensive sides of the global cyber security landscape.

For example, law enforcement apprehended the writers of the popular Angler exploit kit, and POS malware dropped significantly as the industry adopted better security practices and technology. This prompted a wholly expected move from the malware writers as they shifted their efforts to new opportunities ripe for profit, such as ransomware, which emerged as the attack of choice for 2016. Read SonicWall President and CEO Bill Conner’s Annual Threat Report blog from last week for a great overview.

We can track much of this evolution in the cybersecurity landscape with the mantra “follow the [easy] money.” In other words, the majority of attacks will move to where the attackers can make the most money with the least amount of effort. A good method of defensive security thinking, therefore, is “How can I make it significantly more difficult for someone to make money off me and my network than from someone else on the Internet?” This may remind some readers about the joke where you have to outrun the other person, not the bear, in order to survive.

So how do you stay ahead?

Go through the following checklist and evaluate whether you are an easy target:

  1. Cover the known attacks: This is foundational. Prevent previously seen malware from being deployed against your users by the lazy attackers who are just looking for an easy opportunity. Protect *all* networks in your organization including small branch offices and remote workers. You must treat those as you would treat your primary corporate site; otherwise, you have a soft side in your defense with a direct route back to your network. Top-notch gateway anti-malware, intrusion prevention and botnet traffic filtering will help you cover these previously-seen threats.
  2. Cover the unknown attacks: Now you are looking for advanced malware. This is the cutting edge. Network sandboxing technology analyzes suspicious files to detect malware that has not yet been observed, studied and classified. For example, if network sandboxing observes bad behavior from a suspicious file, such as encrypting everything in sight or an MS Word document that opens a network connection, it can rule with a high degree of confidence that the file is malicious.
    A few critical points about network sandboxing:
    • a. Invest in evasion-resistant sandboxing technologies. By combining multiple sandboxing technologies, you reduce the probability of evasion virtually to zero. This is analogous to running an MRI, a CAT scan and an X-ray simultaneously. Attackers know that sandboxing is starting to be widely deployed, so they look to evade low-tech “checklist” type sandboxes.
    • b. Invest in sandboxing that does not just ring the alarm, but also blocks the threat. Otherwise, you just receive a notification that an advanced piece of malware got through two minutes ago and “Good Luck!” Technology must work for you: sandboxing must block until it reaches a verdict on the unknown file.
    • c. Deploy everywhere, network and email: Our Threat Report found that the most popular payload for malicious email campaigns in 2016 was ransomware (Locky, deployed by Nemucod). You must look for known and unknown malware in your network and email/messaging traffic to cover all your bases.
  3. Cover known and unknown attacks inside encrypted traffic: How much of your traffic is SSL/TLS or SSH? 20%? 50%? 70%? Whichever percentage is correct for you, that is the amount of network traffic that you’re letting in un-inspected if you do not actively intercept that traffic. Malware writers know that this is emerging as the soft spot in many networks. Cover all your bases by looking for known and unknown malware inside of encrypted channels.
  4. Establish a ring of trust by segmenting off your IoT devices: A camera is a computer that can record and send video. A thermostat is a computer that controls temperature. A phone is a computer that can make phone calls. A “smart” refrigerator is a… you get the point. You cannot escape the proliferation of IoT devices in your network, and while the IoT vendors are wrapping their heads around security, you can control your IoT risk by segmenting those devices from the rest of your real network. Grant access on an as-needed basis.
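
The “ring of trust” in point 4, like the L2 segmentation advice in the home automation post above, comes down to a short, explicit allowlist between zones with a default deny, plus a way to check that no rule quietly punches a hole from an untrusted zone back into the real network. The following Python is an added example, not SonicWall’s policy engine or SonicOS syntax: the subnets, zone names and rules are constructed for illustration, and `zone_of`, `decide` and `isolation_violations` are the example’s own names. Same-zone traffic is treated as switched rather than firewalled, which is the broadcast-domain constraint that HomeKit-style hubs impose.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example addressing; substitute your own subnets.
ZONES = {
    "corp":  ip_network("10.0.10.0/24"),   # employee workstations and phones
    "iot":   ip_network("10.0.20.0/24"),   # cameras, thermostats, hubs/bridges
    "guest": ip_network("10.0.30.0/24"),   # visitor Wi-Fi
    "mgmt":  ip_network("10.0.1.0/24"),    # admin hosts
}

def zone_of(ip):
    """Map an address to its zone; anything outside the local zones is 'wan'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"

@dataclass(frozen=True)
class Rule:
    src: str                # zone name or "any"
    dst: str                # zone name or "any"
    dport: Optional[int]    # destination port, None = any
    action: str             # "allow" or "deny"
    why: str                # the as-needed justification for the hole

# First match wins. Every allow is a deliberate, justified exception and
# the last rule is the default deny for everything else.
POLICY = [
    Rule("iot",   "wan", 443,  "allow", "device cloud control plane over TLS"),
    Rule("iot",   "wan", 123,  "allow", "NTP"),
    Rule("mgmt",  "iot", 443,  "allow", "admin to device web UI"),
    Rule("mgmt",  "iot", 22,   "allow", "admin SSH to hubs and bridges"),
    Rule("corp",  "iot", 443,  "allow", "phone app talks to the hub over HTTPS"),
    Rule("guest", "wan", None, "allow", "guests get internet only"),
    Rule("corp",  "wan", None, "allow", "employee internet access"),
    Rule("mgmt",  "wan", None, "allow", "admin internet access"),
    Rule("any",   "any", None, "deny",  "default deny between zones"),
]

def decide(src_ip, dst_ip, dport, policy=POLICY):
    """Return (action, reason) for a new connection from src_ip to dst_ip:dport.
    A real firewall is stateful, so return traffic for an allowed flow is
    implied here and not modelled as a separate rule."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    if s == d and s != "wan":
        return "allow", "intra-zone (same broadcast domain, switched not firewalled)"
    for r in policy:
        if r.src in (s, "any") and r.dst in (d, "any") and r.dport in (dport, None):
            return r.action, r.why
    return "deny", "implicit deny (no rule matched)"

def isolation_violations(policy, untrusted=("iot", "guest")):
    """Static check on the rule set: no allow rule may let an untrusted zone
    initiate connections into a trusted zone. Run this before every policy push."""
    trusted = set(ZONES) - set(untrusted)
    return [
        r for r in policy
        if r.action == "allow" and r.src in untrusted and (r.dst in trusted or r.dst == "any")
    ]

if __name__ == "__main__":
    print(decide("10.0.20.5", "10.0.10.7", 445))      # deny: IoT cannot reach corp SMB
    print(decide("10.0.20.5", "93.184.216.34", 443))  # allow: IoT to its cloud service
    print(decide("10.0.1.4", "10.0.20.5", 22))        # allow: admin SSH to a hub
    print(isolation_violations(POLICY))               # [] when the policy is clean
```

The useful habit here is the second function: the per-flow decision is what the firewall does, but the static check is what catches the “temporary” allow from the IoT zone to the file server that never got removed.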

Ransomware Attack Attempts

After reading the full 2017 SonicWall Annual Threat Report, evaluate whether your current network, email and mobile defenses cover the points above and keep you ahead of the attackers. Can they make easy money off you and your users?

SonicWall has technologies that can make you a significantly more difficult target by automating advanced protection and by turning breach detection into breach prevention.

SonicWall Next-Generation and UTM firewalls help to look for known and unknown threats on the network, on both unencrypted and on SSL/TLS encrypted traffic. SonicWall’s line of Access Security solutions can secure mobile users and facilitate proper network and IoT device segmentation.

SonicWall Capture ATP is an award-winning network sandboxing service that runs on SonicWall firewalls and Email Security 9.0 products. Capture utilizes multiple analysis engines with block-until-verdict capability, ensuring that unknown malware does not get through and impact your business. Due to the cloud nature of the service, the intelligence collected from the SonicWall Email Security product line strengthens the protection for firewall users and vice versa – it is a self-reinforcing, learning network.

Simple Tips for Network Sanity: Patch Tuesday, Exploit Wednesday and Uninstall Thursday

Today I’d like to talk a little bit about our partnership with Microsoft and patch management. In a previous life I was a network/sysadmin. A brief description of that role was “If it has a blinking light on it, I am responsible for it,” which meant on most days I felt like I was living in the middle of a sci-fi movie, surrounded by demanding technology.

When you live in a hair-on-fire environment like that, keeping up with Microsoft patches can be painful. You can set them to automatically download and install and you should be good, that is unless the patch breaks something or even worse – it breaks everything.

When you have business-critical applications that are legacy or just plain old, patching can break them. If that app in question is the bread and butter of the business, patching can bring down the entire company. On the other hand, not patching for known vulnerabilities can be just as bad, if not worse.

There is an old saying: Patch Tuesday, Exploit Wednesday and Uninstall Thursday. Microsoft normally releases patches on the second Tuesday of the month, so Exploit Wednesday is when the cyber criminals have analyzed the details from Tuesday and deliver code to exploit the systems that haven’t been updated. Uninstall Thursday is the day you finally figure out that it was the Tuesday patch that broke your mission-critical system and you need to uninstall it to get things back to normal.

To say it is a Catch-22 would be an understatement. How do you stop the insanity? We at SonicWall have partnered with Microsoft in a program called MAPP (the Microsoft Active Protections Program). Microsoft gives us advance knowledge of what will be patched prior to Tuesday so that we have signatures in place to protect our customers who just can’t patch on Tuesday.

Should you patch on Tuesday? Yes, you should absolutely patch on Tuesday or any other day Microsoft releases a patch. But if there are times you just can’t, we can help protect you until you can. Assisting with patches is one of the many little things we have been doing quietly in the background for years that most people are unaware of. Now you know we have you covered when you are stuck in this Catch-22. The biggest take away is that you should patch. I can’t stress that enough: patch, patch, patch! But if you can’t, know that we are already behind the scenes, helping to keep your network safe.

Visit SonicWall GRID Threat Network for MAPP bulletins.

For the Security Advisories for MAPP, you can click here.

Are Campus Defenses Keeping Up with Attacks from the Cyber Netherworld?

I took a computer science minor when I was in college. Back then, the school computers were in a heavily secured section of one building, and we accessed them from teletype terminals and punch card readers (no, we did not use charcoal on slates by the fireplace in the log cabin!). There was no reason to worry about the security of our computer work, other than needing to stay on the good side of the staff of the computer center so that they wouldn’t reshuffle our punch cards or “misplace” our printouts.

Fast forward more than a few years, when I was doing graduate work at a public university. I took 30 credits online, using recordings of on-campus classes, regular chat sessions with my instructors and fellow students, and accessing research information, including public and professionals-only data sources, through the school’s online library system and its global connections. I didn’t pay too much attention to the security of my online activities; internet connectivity made them possible, but there weren’t nearly the number of bad actors out on the net that there are today.

Today my son is in college, and it’s natural for him to select a mix of online and in-person classes, even though his school is a short drive away. He relies on his school’s IT infrastructure for classwork, exams, registration and research, and can access these functions, as well as find out anything about what is available on the internet, from his laptop or smartphone. And every one of those transactions takes place in a space that is just seething with cyber muggers, burglars and every variety of malicious actor you can imagine.

Information is the stock in trade of colleges and universities. Information enables students to pursue their degrees, faculty to teach and research, and staff to keep these institutions running. Much of the information has real value in the cyber netherworld, whether it’s personally identifiable information of students, proprietary research conducted with other schools and industry partners, or financial transactions.

Keeping this information secure is a challenge. In a recent Center for Digital Education survey of higher education IT professionals, 72 percent listed data breaches among their greatest current network security concerns. Their top security concerns for the year ahead? Spam, phishing, and malware. What’s standing in the way of better network security? More than four out of five pointed to budget constraints.

Keeping campus networks secure in the face of ever-increasing growth of data, devices used to access that data, and cyber threats requires more effective and more cost-effective security. To learn more about what’s keeping campus IT leaders up at night, and what they’re doing about it, view our on-demand webcast, Network Security in Education: The changing landscape of campus data security.

WAN Acceleration on the Back Burner? Time to Move It Up

In our last blog we talked about the benefits of adding WAN acceleration to a network to accelerate and improve application performance. What I’ve observed from talking with others in the industry is that most IT administrators understand the benefits of adding WAN acceleration. However, because of deployment costs, ongoing maintenance and/or security concerns around how to deploy WAN acceleration solutions, some IT organizations are just abandoning those projects or always placing them on the proverbial back burner.

Initial proof of concept or deployment can be a major hurdle: IT needs to determine where to physically place the WAN acceleration device on the network so that it can actually improve application performance, then decide which traffic types should be routed to it for acceleration, all without breaking or interrupting business-critical applications. The alternative of putting the device inline and routing all network traffic through it means it also has to handle traffic that cannot be accelerated.

Then there’s the matter of learning the management interface of a new product. This takes time to ensure the IT staff is trained up and understands all the complex configuration options available within the acceleration solution. From there the challenge will be not only the deployment and management at the headquarters location, but also all the remote offices. For those, someone from the IT group will have to do not only the initial setup but also some level of ongoing management and monitoring. For a small deployment this may not be an issue, but for larger deployments it can become complex. There may be options for central management, but that would involve setting up yet another console, which may have its own set of complexities or limitations.

Finally, there’s the security aspect of adding WAN acceleration. If the customer terminates VPNs on a next-generation firewall (NGFW), where do you put the acceleration device? If you put it outside the VPN termination point, no acceleration can happen, because the traffic is encrypted and ciphertext for all practical purposes cannot be compressed or deduplicated. The other option is to put the acceleration device behind the NGFW/VPN combination, but this causes a different problem: the traffic being accelerated can no longer be scanned for threats by the NGFW. This is yet another headache for IT administrators to deal with, or at least think through, before a WAN acceleration solution can be introduced into a network.
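
The placement problem above is easy to see in numbers. Below is an added example, not SonicWall WXA code: it takes a constructed, repetitive payload of the kind WAN optimizers thrive on, measures how much a compression stage saves when it sees the plaintext (accelerator inside the VPN), then encrypts the same bytes and measures again (accelerator outside the VPN). The encryption is a throwaway SHA-256 counter-mode keystream written for the demonstration only; it is not an authenticated cipher and is not what a real VPN uses, but any sound cipher produces equally incompressible output.

```python
import hashlib
import struct
import zlib

# Constructed sample traffic: 200 near-identical HTTP requests, the sort of
# chatter between a branch and a file server that deduplicates very well.
SAMPLE_PLAINTEXT = b"".join(
    b"GET /reports/q3/summary-%03d.pdf HTTP/1.1\r\n"
    b"Host: files.branch.example\r\n"
    b"User-Agent: corp-sync/4.2\r\n"
    b"Accept: */*\r\n\r\n" % i
    for i in range(200)
)
DEMO_KEY = b"constructed-demo-key-not-a-secret"

def toy_keystream(key, nbytes):
    """Deterministic keystream: SHA-256(key || counter). Demonstration only."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + struct.pack("!Q", counter)).digest()
        counter += 1
    return bytes(out[:nbytes])

def toy_encrypt(key, data):
    """XOR the data with the keystream. What the accelerator sees outside the VPN."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, len(data))))

def compressed_ratio(data, level=9):
    """Compressed size divided by original size: 0.02 means 98% saved,
    1.0 or more means the compression stage did nothing useful."""
    return len(zlib.compress(data, level)) / len(data)

def placement_report(plaintext=SAMPLE_PLAINTEXT, key=DEMO_KEY):
    """Compare the two placements from the post on the same bytes."""
    return {
        "inside_vpn":  compressed_ratio(plaintext),             # sees plaintext
        "outside_vpn": compressed_ratio(toy_encrypt(key, plaintext)),  # sees ciphertext
    }

if __name__ == "__main__":
    for placement, ratio in placement_report().items():
        print(f"{placement:12s} compressed/original = {ratio:.3f}")
```

The inside-the-VPN ratio lands in the low single-digit percent; the outside-the-VPN ratio is slightly above 1.0, because well-encrypted bytes are indistinguishable from random and the compressor can only add framing overhead. That is the whole argument for terminating the VPN and scanning first, then accelerating on the cleartext side.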

The combined solution of the SonicWall WAN Acceleration (WXA) and SonicWall Next-Generation Firewall can help reduce the complexity of initial deployment, ongoing management and security of introducing WAN acceleration into a network environment. Integrated as part of the SonicOS operating system, the WXA is managed through the same web UI, so all of the security, VPN and acceleration features can be controlled from the same management interface. For customers that have multiple offices, consolidated management is possible using the SonicWall Global Management System for environments that have deployed multiple firewalls and WXA appliances.

Network provisioning of the WXA is less complex as one of the firewall interfaces is dedicated specifically for the WXA appliance. Auto-provisioning reduces the complexity of initial deployment and ongoing management of the WXA solution. Traffic controls on the firewall ensure that only traffic that can be accelerated is sent over to the WXA to be accelerated.

Finally, since the WXA is integrated with the SonicWall NGFW, traffic sent between offices or destined to be cached is scanned by the SonicWall Deep Packet Inspection engine, which includes intrusion prevention and anti-malware detection and prevention, ensuring a higher level of security. Leveraging the SonicWall WXA/NGFW combination can help ensure an easier deployment and lower ongoing maintenance cost without sacrificing security.

To learn more about the benefits of WAN acceleration and how SonicWall WXA series solutions can help you achieve them, read our eBook titled “10 ways to securely optimize your network.”


Network Security Designs for Your Retail Business

The 2015 Verizon Data Breach Investigations Report (DBIR) estimate of $400 million in financial losses from security breaches shows the importance of managing breaches and ensuring that an appropriate security infrastructure is in place. The retail industry saw high-profile breaches this year through RAM-scraping malware aimed at point-of-sale (POS) systems. These breaches affect both large and small organizations. According to the 2015 Verizon DBIR, attackers gained access to the POS devices of small organizations through brute force, while larger breaches were multi-step attacks in which some secondary system was compromised before the POS system was attacked. This article highlights the key design considerations for building and deploying a secure, scalable and robust retail network.

Secure Network Design Considerations

Organizations need to ensure that their networks are resilient, secure and robust. The security solution put in place must not be a knee-jerk reaction to an attack, but rather a comprehensive protection solution. A typical retail location requires support for POS systems, guest Wi-Fi access, employee access to restricted resources, third-party vendor access to a limited set of resources, and a reliable Internet connection with no downtime. Given these requirements, the following strategies are recommended in the retail network design –

1. Network Segmentation – It is important to segment the retail network into multiple networks. This ensures that an attack on a particular device in one network does not infect the entire network. A simple, flat network design makes it easy for an infected POS terminal to bring the entire network down. Create separate networks for – POS terminals, guest Wi-Fi devices, employee access to restricted information, and third-party vendor access (limited and appropriate access).

2. Access Control – Install strict access controls on all network segments to govern how devices communicate within and across network segment(s).

3. VPN Tunnels – Create site-to-site VPN tunnels between each retail location and the centralized data center to ensure that all traffic originating from a POS system is always encrypted. Customers’ sensitive credit card data is typically encrypted when it is validated over the Internet. However, simple management data such as login credentials may not be encrypted and could provide an entry point for a security breach.

4. Security – The SonicWall 2015 Annual Threat Report findings show a 109% increase in encrypted connection traffic from the previous year. This potentially means that attackers are using encryption as a way to hide their malware from firewalls. It is imperative to use a Next-Generation Firewall (NGFW) that performs deep packet inspection on all traffic, including encrypted traffic. Deep packet inspection services such as Intrusion Prevention, malware detection and Content Filtering are strongly recommended to reduce the risk of intrusions and malware attacks. Additionally, enable endpoint anti-virus on all POS terminals for increased security.

5. Reliability – Retail networks need to be secure and fault tolerant, with zero downtime. For fault tolerance at smaller retail locations, it is recommended to use 3G/4G backup failover with a multi-ISP provider strategy. For retail locations with heavier traffic, NGFWs deployed in High-Availability mode provide uninterrupted connectivity.

6. Guest Wi-Fi – Retail locations are increasingly using guest Wi-Fi access as a means to increase their business and stickiness with customers. For guest Wi-Fi, create a locked-down Internet-only network access for visitors or untrusted network nodes. Choose a solution that provides guest services with the latest wireless technology such as 802.11ac for increased bandwidth.
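As an added illustration of points 1 through 3 (not part of the original article or any vendor configuration), the following script models the recommended segments as zones, evaluates a first-match, default-deny rule set, and audits it for the flows the design is meant to forbid: guest reaching anything but the Internet, a vendor reaching POS, and POS leaving over the raw WAN instead of the VPN tunnel. Zone names, the rule format and both sample policies are constructed assumptions.

```python
"""Zone-segmentation policy audit for a retail site (constructed example, not
vendor configuration). Zones, rule format and sample policies are assumptions."""
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    src: str      # source zone or ANY
    dst: str      # destination zone or ANY
    service: str  # e.g. "tcp/443", or ANY
    action: str   # "allow" or "deny"

def evaluate(policy, src, dst, service):
    """First matching rule wins; no match means deny (default-deny between segments)."""
    for r in policy:
        if r.src in (src, ANY) and r.dst in (dst, ANY) and r.service in (service, ANY):
            return r.action
    return "deny"

def audit(policy, zones, services):
    """Exhaustively check every zone pair and service against the three design rules."""
    findings = []
    for src in zones:
        for dst in zones:
            for svc in services:
                if src == dst or evaluate(policy, src, dst, svc) != "allow":
                    continue
                if src == "guest" and dst != "wan":
                    findings.append(f"guest -> {dst} {svc}: guest must be Internet-only")
                if src == "vendor" and dst == "pos":
                    findings.append(f"vendor -> pos {svc}: third parties must not reach POS")
                if src == "pos" and dst == "wan":
                    findings.append(f"pos -> wan {svc}: POS traffic belongs in the VPN tunnel")
    return findings

ZONES = ["pos", "guest", "employee", "vendor", "datacenter_vpn", "wan"]
SERVICES = ["tcp/443", "tcp/3389", "tcp/80"]

# Constructed flat network: a single any/any rule, the "simple, flat design" case
FLAT_POLICY = [Rule(ANY, ANY, ANY, "allow")]

# Constructed segmented policy: only the flows the design list calls for
SEGMENTED_POLICY = [
    Rule("guest", "wan", ANY, "allow"),                     # Internet-only guest Wi-Fi
    Rule("pos", "datacenter_vpn", "tcp/443", "allow"),      # POS only via site-to-site VPN
    Rule("employee", "wan", "tcp/443", "allow"),
    Rule("vendor", "datacenter_vpn", "tcp/3389", "allow"),  # limited, specific vendor access
]
```

Running `audit(FLAT_POLICY, ZONES, SERVICES)` reports 18 violations for the flat design, while the segmented policy reports none.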

The SonicWall Next Generation Firewall based security solution provides an integrated approach to addressing all the requirements of a typical retail network. For more information on best practices for securing your retail network, download this white paper.

The Holiday Online Shopping Season is Coming. Is Your Network Prepared?

Now that Halloween is over, it’s time for the holiday online shopping season to kick in, beginning on Black Friday, continuing through Cyber Monday, and finishing up on New Year’s Day. For a lot of people it’s time to start spending money.

When we shop for the holidays many of us like to do it online. The National Retail Federation indicates that more than half of U.S. consumers plan to make at least some of their holiday purchases online this year. Why? Well, we can do it from anywhere at any time. It’s convenient. That includes shopping from work.

What does it mean to your organization? Well, there’s a good chance your employees will spend some of their work time shopping online over the next six weeks. Is that a potential problem? If you consider the security of your network, the productivity of your employees and the use of network bandwidth important to your organization, then the answer is yes, and here’s why.

Online shopping at work introduces security risks. For example, employees may inadvertently create opportunities for malicious attacks directed at your organization. An “attack or threat vector” is the means a hacker uses to gain access to one or more systems or servers on your network. Through the attack vector, the hacker can compromise systems on your network and deliver a malicious payload, the most common being a virus, worm, trojan or spyware. A common threat vector around the holidays is phishing. Phishing is an email fraud method in which the perpetrator sends out a legitimate-looking email instructing recipients to go to the fake website of a reputable business such as FedEx or UPS. The site will attempt to collect personal information such as the user’s name, passwords, social security number and credit card details. Another attack vector you may come across is “malvertising,” or “malicious advertising,” which is a threat that uses online advertising to spread malware. The malware can then capture information from an infected machine, or send probes around the network to find servers and other systems that can be compromised.

The security of your network isn’t the only issue your organization faces during the holiday buying season. Employees are taking more freedom for personal activities such as online shopping during work hours. This is concerning. Why? Well, they’re shopping on company time, so they’re not as productive, and it’s likely they’re connecting to sites through the corporate network, which creates a security risk as well as a misappropriation of valuable bandwidth.

Speaking of your bandwidth, there’s the question of how it’s being used. With likely over half of your employees shopping online at some point during the holidays, the bandwidth available to critical applications on your network is going to disappear. Therefore, it’s critical to prevent vital bandwidth from being consumed by non-productive web use such as online shopping, streaming music and watching HD videos which can all have a negative impact on network performance if left unchecked.

What can you do to secure your network, improve employee productivity and get the most out of your bandwidth during the holiday online shopping season? Here are a few tips:

  • Get a next-generation firewall. If you don’t have one already, next-generation firewalls secure inbound and outbound traffic from threats, provide you the tools to determine which websites your employees can and can’t access (hint – online shopping sites) and allow you to identify and control the apps used on your network and how much bandwidth you want to allocate to them. Not only that, with more websites moving to SSL encryption, it’s important that the next-generation firewall be able to decrypt and inspect encrypted traffic for threats.
  • Help your employees learn how to avoid malvertising and recognize phishing emails. Be alert for suspicious emails and links to unknown websites.
  • Educate employees to use different passwords for every account and establish policies for strong passwords.
  • Many attacks are based on known vulnerabilities in recognized browsers, as well as in plug-ins and common apps. Therefore it’s critical to apply updates and patches promptly and reliably.
  • It’s a good idea to use tools that allow IT managers to monitor the use of network applications. It’s called “Application Intelligence” and it can help you determine if anyone is violating company policies or simply visiting sites that have no business purpose such as online shopping.

SonicWall offers a complete range of industry-leading next-generation firewalls, including the NSA Series, that integrate numerous advanced deep packet inspection features such as Anti-Malware, Intrusion Prevention, Application Intelligence and Control, Content and URL Filtering, and SSL Decryption and Inspection.

Visualization is Key to Deeper Network Security

If you follow sports at all, you’ve probably heard about athletes using visualization to improve performance. It’s a simple tool in which an athlete visualizes, or “sees,” himself or herself performing successfully. Through visualization, athletes paint a mental picture of how they will succeed and accomplish their goals.

The concept of visualization also applies to network security. If you’re an administrator it’s important that you have constant insight into what’s happening on the network. Gathering intelligence on users, applications, bandwidth consumed, etc. is a smart idea. Not only does it give you a better understanding of who’s on the network and what they’re doing, it also helps you develop a plan to optimize your network’s performance. Network visualization takes intelligence gathering a step further by providing a graphical representation of network activity. The ability to see various activities across the network in real time is a big advantage.

Want another reason why visualization is important? Most humans learn from watching. Here’s an interesting fact. According to the Social Science Research Network, 65 percent of the population are visual learners. We also process visual information much faster than information that’s text-based. It stands to reason then that having the tools to visualize network activity is critical to gaining a deeper level of security.

These days the new norm in network security is the next-generation firewall. One of the requirements of a next-generation firewall is application identification and visibility. Administrators should be able to view the applications in use on the network, the amount of bandwidth and processing power they consume, and who the top users are. Using this information you can make informed decisions, such as which apps to allow and which to block, how much bandwidth to allocate to each app, and whether you need to have a talk with an employee about his or her choice of websites, which may potentially contain malware.

If you’re still using a legacy stateful packet inspection firewall or even a next-generation firewall to protect your network, here are 10 questions you should ask to make sure you’re getting the right level of protection from your security appliance.

Does my firewall:

  1. Gather information on critical topics such as apps, users, bandwidth consumption and threats across the network?
  2. Present the information visually in a way that makes it easy to understand?
  3. Update the information in real time so that I have the latest data?
  4. Provide daily reports on network threats (viruses, intrusions, malware) and non-essential multimedia apps (gaming, video) that have been blocked?
  5. Allow me to manage bandwidth per application and allocate more to business-critical apps while throttling those that are unproductive?
  6. Provide continual information on other vital functions such as connection count, memory and CPU usage, incoming and outgoing packets and more?
  7. Chart log activity?
  8. Offer filters that allow me to view information in multiple formats over different time periods?
  9. Enable me to export or email data directly from the firewall?
  10. Provide an intuitive dashboard that summarizes all the information I need?

Earlier I brought up the use of visualization in sports and how athletes use it to help improve their performance. Well, here’s another example of visualization, albeit in a slightly different way. The pylon cam. The pylon cam is the NFL’s latest tool for gathering information through visualization. Inside each goal line pylon is a high-definition camera that provides a field-level view across both the goal lines and sidelines. Officials can then use this information to make the correct call on critical plays. It’s an interesting use of the visualization concept to gather information and make decisions, just like in network security.

If you are interested in learning more about firewall solutions that provide application control and network visualization, take a virtual test drive of the SonicWall NSA 3600.